Hi. I have Windows XP. ZoneAlarm virus scan found a problem this morning but wasn't able to do anything with it. It showed up as globalroot\Device\__max++> with a dll extension. I've tried to run MalwareBytes and Hijack this and get the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them." I tried to run them in safe mode but get the same message.
I downloaded and ran AntiVir and combofix - that didn't seem to do anything, although while ComboFix was running, AntiVir popped up and asked me what to do with two threats, and I clicked on the delete button. I noticed that I now have no system restore points.
I ran the Win32kDiag and this is the log:
Running from: C:\Documents and Settings\Linda\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Linda\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
Thanks for any help!
Full Version: Can't run MalwareBytes or HijackThis
Go to start > run and copy and paste the following command in the field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
This should restore permissions on locked files and remove mountpoints.
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
Once you've gotten one of them to run then try to immediately run the following.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
If you still cannot get this to run, try booting into Safe Mode, and run it there.
To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."
If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...
"%userprofile%\desktop\win32kdiag.exe" -f -r
This should restore permissions on locked files and remove mountpoints.
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
Once you've gotten one of them to run then try to immediately run the following.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.-----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
----------------------------------------------------------- - Double click on combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
If you still cannot get this to run, try booting into Safe Mode, and run it there.
To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."
If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...
HijackThis still won't run. Here's the combofix log:
ComboFix 09-10-25.02 - Linda 10/26/2009 16:51.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1042 [GMT -4:00]
Running from: c:\documents and settings\Linda\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
.
((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.
2009-10-23 19:41 . 2008-04-14 00:11 56320 ----a-w- C:\eventlog.dll
2009-10-23 18:28 . 2009-10-23 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-23 12:47 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-23 12:47 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-23 12:47 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-23 12:47 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-23 12:47 . 2009-10-23 12:47 -------- d-----w- c:\program files\Avira
2009-10-23 12:47 . 2009-10-23 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-23 12:40 . 2009-10-23 20:04 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-10-23 12:38 . 2009-10-23 12:38 -------- d-----w- c:\program files\Trend Micro
2009-10-21 16:04 . 2009-10-21 16:43 -------- d-----w- c:\program files\Magic Editor
2009-10-20 12:29 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-10-20 12:03 . 2009-10-20 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-10-18 19:15 . 2009-10-18 19:15 -------- d-----w- c:\documents and settings\Linda\Local Settings\Application Data\Ahead
2009-10-18 17:22 . 2009-10-18 17:26 -------- d-----w- c:\documents and settings\Linda\Application Data\Nero
2009-10-18 17:18 . 2009-10-18 17:19 -------- d-----w- c:\program files\Common Files\LightScribe
2009-10-18 16:49 . 2009-10-18 16:49 -------- d-----w- c:\documents and settings\Linda\Application Data\Ahead
2009-10-18 16:48 . 2009-10-18 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-10-18 16:42 . 2009-10-18 16:46 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-18 16:35 . 2009-10-18 16:42 -------- d-----w- c:\program files\Nero
2009-10-18 16:35 . 2009-10-18 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-18 16:35 . 2009-10-18 16:37 -------- d-----w- c:\program files\Common Files\Nero
2009-10-18 16:22 . 2009-10-18 16:22 158192 ------w- c:\windows\system32\pxwma.dll
2009-10-15 21:52 . 2009-10-15 21:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-15 10:54 . 2009-10-15 10:54 -------- d-----w- c:\documents and settings\Linda\Local Settings\Application Data\PCHealth
2009-10-04 12:42 . 2009-10-19 12:30 -------- d-----w- c:\program files\Cobian Backup 9
2009-10-03 11:37 . 2009-10-03 11:38 -------- d-----w- C:\rwc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 20:59 . 2009-01-15 15:17 1025868064 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-26 20:32 . 2009-01-15 15:11 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-26 20:17 . 2007-07-12 23:35 -------- d-----w- c:\documents and settings\Linda\Application Data\Chaos Software
2009-10-26 12:04 . 2008-12-25 19:33 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-26 02:02 . 2009-01-15 15:17 13713572 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-25 22:40 . 2007-01-22 14:04 -------- d-----w- c:\program files\PrimoPDF
2009-10-25 21:10 . 2008-07-25 19:55 -------- d-----w- c:\documents and settings\Linda\Application Data\IObit
2009-10-25 21:10 . 2008-07-25 18:59 -------- d-----w- c:\program files\IObit
2009-10-25 15:41 . 2009-05-17 15:39 65 ----a-w- c:\windows\system32\BD7420.dat
2009-10-23 16:50 . 2008-09-01 21:33 -------- d-----w- c:\program files\Google
2009-10-23 12:33 . 2008-10-17 14:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 20:01 . 2008-08-14 15:56 -------- d-----w- c:\program files\DYMO Label
2009-10-18 16:22 . 2007-01-10 14:31 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-10-18 16:22 . 2002-12-17 17:32 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-10-18 16:22 . 2002-12-17 17:32 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-10-17 12:56 . 2007-01-10 22:08 -------- d-----w- c:\program files\WinFax
2009-10-09 19:41 . 2008-09-27 17:56 -------- d-----w- c:\program files\MSECACHE
2009-10-05 13:54 . 2009-09-23 19:30 -------- d-----w- c:\program files\DeltaCopy
2009-10-04 19:35 . 2007-05-17 01:03 -------- d--h--w- c:\documents and settings\Linda\Application Data\Move Networks
2009-10-03 16:58 . 2007-11-22 19:01 -------- d-----w- c:\program files\Intuit
2009-10-03 16:27 . 2007-01-08 22:08 -------- d-----w- c:\program files\Common Files\Intuit
2009-10-03 16:14 . 2007-08-02 17:56 -------- d-----w- c:\documents and settings\Linda\Application Data\Download Manager
2009-09-25 20:12 . 2007-02-21 18:24 -------- d-----w- c:\program files\TurboTax
2009-09-23 19:27 . 2009-09-23 19:24 -------- d-----w- c:\documents and settings\Linda\Application Data\NetDrive
2009-09-18 01:23 . 2007-01-09 21:32 -------- d-----w- c:\program files\Mozy
2009-09-15 15:59 . 2009-08-06 02:19 2522424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-14 17:04 . 2008-06-05 00:41 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2009-09-11 14:18 . 2004-08-12 14:01 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-10-17 14:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-10-17 14:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 11:19 . 2008-12-28 17:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-12 14:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-12 14:09 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-12 14:06 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 21:31 . 2009-08-07 21:31 4500 ----a-w- C:\activesynclogs.bat
2009-08-07 18:12 . 2007-01-04 23:35 104496 ----a-w- c:\documents and settings\Linda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2007-01-04 22:59 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2007-01-04 22:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-01-04 22:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2007-01-04 22:59 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-12 13:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2007-01-04 22:59 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-04-23 12:42 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2008-04-23 12:42 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2007-01-04 22:59 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-12 14:02 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 01:31 . 2009-08-04 15:04 20616 ----a-w- c:\windows\system32\drivers\eufs.sys
2009-07-29 01:31 . 2009-08-04 15:04 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2009-07-29 01:31 . 2009-08-04 15:04 26120 ----a-w- c:\windows\system32\drivers\eubakup.sys
2009-07-29 01:31 . 2009-08-04 15:04 122504 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2009-07-09 21:17 . 2009-07-09 21:15 8086 --sh--r- c:\program files\uninstall.log
2007-06-04 13:31 . 2007-06-02 15:16 106 ----a-w- c:\program files\piconfig.lx
2008-10-30 21:20 . 2008-10-30 19:52 24 --sh--w- c:\windows\S3AE1BF11.tmp
.
((((((((((((((((((((((((((((( SnapShot@2009-10-23_16.13.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 21:26 . 2009-10-25 21:26 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2009-10-23 16:50 . 2009-10-23 16:50 25214 c:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2009-10-23 16:50 . 2009-10-23 16:50 25214 c:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\ARPPRODUCTICON.exe
+ 2009-04-01 23:41 . 2009-10-26 12:05 694132 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-10-23 16:50 . 2009-10-23 16:50 914944 c:\windows\Installer\24c4ad.msi
+ 2009-04-01 23:33 . 2009-10-24 11:43 14054152 c:\windows\system32\ZoneLabs\spyware.dat
+ 2007-01-08 15:09 . 2009-10-02 15:01 25198016 c:\windows\system32\MRT.exe
- 2007-01-08 15:09 . 2009-10-02 18:01 25198016 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-09-14 17:04 2847032 ----a-w- c:\program files\Mozy\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-09-14 17:04 2847032 ----a-w- c:\program files\Mozy\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mozybackup.exe"="c:\program files\Mozy\mozybackup.exe" [2009-03-16 78136]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2004-08-18 586896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2004-08-18 586896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2007-08-28 492912]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
backup=c:\windows\pss\MozyHome Status.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Linda^Start Menu^Programs^Startup^DING!.lnk]
backup=c:\windows\pss\DING!.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wfxsvc"=3 (0x3)
"vsmon"=2 (0x2)
"TabletService"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"StreamloadService"=2 (0x2)
"MozyBackup"=2 (0x2)
"EPSONStatusAgent2"=3 (0x3)
"EpsonBidirectionalService"=3 (0x3)
"DM1Service"=2 (0x2)
"Crypkey License"=2 (0x2)
"brmfbags"=3 (0x3)
"AdobeActiveFileMonitor4.0"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\CAT4\\casecatalyst.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/23/2009 8:47 AM 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [8/11/2009 7:00 PM 13088]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [10/23/2009 2:28 PM 309008]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [1/8/2007 2:32 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [1/8/2007 2:32 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [1/8/2007 2:32 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [1/8/2007 2:32 PM 61440]
R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QuickBooks 2009\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QuickBooks 2009\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S0 tkjoumma;tkjoumma;c:\windows\system32\drivers\wumo.sys --> c:\windows\system32\drivers\wumo.sys [?]
S2 gupdate1c966b8e456733a;Google Update Service (gupdate1c966b8e456733a);c:\program files\Google\Update\GoogleUpdate.exe [12/25/2008 1:47 PM 133104]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [8/4/2009 11:04 AM 122504]
S3 MiraUSB2;Stenograph USB Writer Service;c:\windows\system32\drivers\SGUsb.sys [5/17/2007 11:51 AM 26208]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [7/24/2008 8:42 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [7/24/2008 8:42 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [7/24/2008 8:42 PM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [7/25/2008 5:51 PM 23680]
S3 ndfs;ndfs;\??\c:\program files\Netdrive\ndfs.sys --> c:\program files\Netdrive\ndfs.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 20:18]
2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 20:18]
2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-261478967-682003330-1004Core.job
- c:\documents and settings\Linda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-23 15:33]
2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-261478967-682003330-1004UA.job
- c:\documents and settings\Linda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-23 15:33]
2009-10-04 c:\windows\Tasks\Reporting.job
- c:\program files\DeltaCopy\Reporting.dcp [2009-10-04 21:17]
2009-10-22 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-01-27 21:34]
2009-10-23 c:\windows\Tasks\User_Feed_Synchronization-{5CAEC93B-3953-444E-9B4E-C88B86549D93}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: Display All Images with Full Quality - c:\program files\Juno\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\Juno\qsacc\appres.dll/227
IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm
IE: Send to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {A9667083-5060-4F44-88FB-9FF7487BBA1B} - hxxps://workplace.intuit.com/db/bd86zf4za/gl/qbconnector.cab
FF - ProfilePath - c:\documents and settings\Linda\Application Data\Mozilla\Firefox\Profiles\b58vve3u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={FCD8A6E9-3507-E9AE-A249-68D6BAF2DA1C}&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 16:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-26 17:01
ComboFix-quarantined-files.txt 2009-10-26 21:01
ComboFix2.txt 2009-10-23 18:22
ComboFix3.txt 2009-10-23 16:18
Pre-Run: 57,970,196,480 bytes free
Post-Run: 57,927,622,656 bytes free
- - End Of File - - B6F54D17A4839EE7629CF3E2CB26BFC6
ComboFix 09-10-25.02 - Linda 10/26/2009 16:51.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1042 [GMT -4:00]
Running from: c:\documents and settings\Linda\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
.
((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.
2009-10-23 19:41 . 2008-04-14 00:11 56320 ----a-w- C:\eventlog.dll
2009-10-23 18:28 . 2009-10-23 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-10-23 12:47 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-23 12:47 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-23 12:47 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-23 12:47 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-23 12:47 . 2009-10-23 12:47 -------- d-----w- c:\program files\Avira
2009-10-23 12:47 . 2009-10-23 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-23 12:40 . 2009-10-23 20:04 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-10-23 12:38 . 2009-10-23 12:38 -------- d-----w- c:\program files\Trend Micro
2009-10-21 16:04 . 2009-10-21 16:43 -------- d-----w- c:\program files\Magic Editor
2009-10-20 12:29 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-10-20 12:03 . 2009-10-20 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-10-18 19:15 . 2009-10-18 19:15 -------- d-----w- c:\documents and settings\Linda\Local Settings\Application Data\Ahead
2009-10-18 17:22 . 2009-10-18 17:26 -------- d-----w- c:\documents and settings\Linda\Application Data\Nero
2009-10-18 17:18 . 2009-10-18 17:19 -------- d-----w- c:\program files\Common Files\LightScribe
2009-10-18 16:49 . 2009-10-18 16:49 -------- d-----w- c:\documents and settings\Linda\Application Data\Ahead
2009-10-18 16:48 . 2009-10-18 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-10-18 16:42 . 2009-10-18 16:46 -------- d-----w- c:\program files\Common Files\Ahead
2009-10-18 16:35 . 2009-10-18 16:42 -------- d-----w- c:\program files\Nero
2009-10-18 16:35 . 2009-10-18 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-18 16:35 . 2009-10-18 16:37 -------- d-----w- c:\program files\Common Files\Nero
2009-10-18 16:22 . 2009-10-18 16:22 158192 ------w- c:\windows\system32\pxwma.dll
2009-10-15 21:52 . 2009-10-15 21:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-15 10:54 . 2009-10-15 10:54 -------- d-----w- c:\documents and settings\Linda\Local Settings\Application Data\PCHealth
2009-10-04 12:42 . 2009-10-19 12:30 -------- d-----w- c:\program files\Cobian Backup 9
2009-10-03 11:37 . 2009-10-03 11:38 -------- d-----w- C:\rwc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 20:59 . 2009-01-15 15:17 1025868064 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-26 20:32 . 2009-01-15 15:11 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-26 20:17 . 2007-07-12 23:35 -------- d-----w- c:\documents and settings\Linda\Application Data\Chaos Software
2009-10-26 12:04 . 2008-12-25 19:33 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-26 02:02 . 2009-01-15 15:17 13713572 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-25 22:40 . 2007-01-22 14:04 -------- d-----w- c:\program files\PrimoPDF
2009-10-25 21:10 . 2008-07-25 19:55 -------- d-----w- c:\documents and settings\Linda\Application Data\IObit
2009-10-25 21:10 . 2008-07-25 18:59 -------- d-----w- c:\program files\IObit
2009-10-25 15:41 . 2009-05-17 15:39 65 ----a-w- c:\windows\system32\BD7420.dat
2009-10-23 16:50 . 2008-09-01 21:33 -------- d-----w- c:\program files\Google
2009-10-23 12:33 . 2008-10-17 14:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 20:01 . 2008-08-14 15:56 -------- d-----w- c:\program files\DYMO Label
2009-10-18 16:22 . 2007-01-10 14:31 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-10-18 16:22 . 2002-12-17 17:32 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-10-18 16:22 . 2002-12-17 17:32 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-10-17 12:56 . 2007-01-10 22:08 -------- d-----w- c:\program files\WinFax
2009-10-09 19:41 . 2008-09-27 17:56 -------- d-----w- c:\program files\MSECACHE
2009-10-05 13:54 . 2009-09-23 19:30 -------- d-----w- c:\program files\DeltaCopy
2009-10-04 19:35 . 2007-05-17 01:03 -------- d--h--w- c:\documents and settings\Linda\Application Data\Move Networks
2009-10-03 16:58 . 2007-11-22 19:01 -------- d-----w- c:\program files\Intuit
2009-10-03 16:27 . 2007-01-08 22:08 -------- d-----w- c:\program files\Common Files\Intuit
2009-10-03 16:14 . 2007-08-02 17:56 -------- d-----w- c:\documents and settings\Linda\Application Data\Download Manager
2009-09-25 20:12 . 2007-02-21 18:24 -------- d-----w- c:\program files\TurboTax
2009-09-23 19:27 . 2009-09-23 19:24 -------- d-----w- c:\documents and settings\Linda\Application Data\NetDrive
2009-09-18 01:23 . 2007-01-09 21:32 -------- d-----w- c:\program files\Mozy
2009-09-15 15:59 . 2009-08-06 02:19 2522424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-14 17:04 . 2008-06-05 00:41 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2009-09-11 14:18 . 2004-08-12 14:01 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-10-17 14:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-10-17 14:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 11:19 . 2008-12-28 17:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-12 14:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-12 14:09 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-12 14:06 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 21:31 . 2009-08-07 21:31 4500 ----a-w- C:\activesynclogs.bat
2009-08-07 18:12 . 2007-01-04 23:35 104496 ----a-w- c:\documents and settings\Linda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2007-01-04 22:59 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2007-01-04 22:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-01-04 22:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2007-01-04 22:59 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-12 13:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2007-01-04 22:59 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-04-23 12:42 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2008-04-23 12:42 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2007-01-04 22:59 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-12 14:02 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 01:31 . 2009-08-04 15:04 20616 ----a-w- c:\windows\system32\drivers\eufs.sys
2009-07-29 01:31 . 2009-08-04 15:04 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2009-07-29 01:31 . 2009-08-04 15:04 26120 ----a-w- c:\windows\system32\drivers\eubakup.sys
2009-07-29 01:31 . 2009-08-04 15:04 122504 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2009-07-09 21:17 . 2009-07-09 21:15 8086 --sh--r- c:\program files\uninstall.log
2007-06-04 13:31 . 2007-06-02 15:16 106 ----a-w- c:\program files\piconfig.lx
2008-10-30 21:20 . 2008-10-30 19:52 24 --sh--w- c:\windows\S3AE1BF11.tmp
.
((((((((((((((((((((((((((((( SnapShot@2009-10-23_16.13.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 21:26 . 2009-10-25 21:26 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2009-10-23 16:50 . 2009-10-23 16:50 25214 c:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2009-10-23 16:50 . 2009-10-23 16:50 25214 c:\windows\Installer\{FE24D361-A3E8-11DE-88F3-005056806466}\ARPPRODUCTICON.exe
+ 2009-04-01 23:41 . 2009-10-26 12:05 694132 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-10-23 16:50 . 2009-10-23 16:50 914944 c:\windows\Installer\24c4ad.msi
+ 2009-04-01 23:33 . 2009-10-24 11:43 14054152 c:\windows\system32\ZoneLabs\spyware.dat
+ 2007-01-08 15:09 . 2009-10-02 15:01 25198016 c:\windows\system32\MRT.exe
- 2007-01-08 15:09 . 2009-10-02 18:01 25198016 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-09-14 17:04 2847032 ----a-w- c:\program files\Mozy\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-09-14 17:04 2847032 ----a-w- c:\program files\Mozy\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mozybackup.exe"="c:\program files\Mozy\mozybackup.exe" [2009-03-16 78136]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2004-08-18 586896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2004-08-18 586896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2007-08-28 492912]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
backup=c:\windows\pss\MozyHome Status.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Linda^Start Menu^Programs^Startup^DING!.lnk]
backup=c:\windows\pss\DING!.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wfxsvc"=3 (0x3)
"vsmon"=2 (0x2)
"TabletService"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"StreamloadService"=2 (0x2)
"MozyBackup"=2 (0x2)
"EPSONStatusAgent2"=3 (0x3)
"EpsonBidirectionalService"=3 (0x3)
"DM1Service"=2 (0x2)
"Crypkey License"=2 (0x2)
"brmfbags"=3 (0x3)
"AdobeActiveFileMonitor4.0"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\CAT4\\casecatalyst.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/23/2009 8:47 AM 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [8/11/2009 7:00 PM 13088]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [10/23/2009 2:28 PM 309008]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [1/8/2007 2:32 PM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [1/8/2007 2:32 PM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [1/8/2007 2:32 PM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [1/8/2007 2:32 PM 61440]
R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QuickBooks 2009\QBDBMgrN.exe -hvQuickBooksDB20 --> c:\progra~1\Intuit\QuickBooks 2009\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S0 tkjoumma;tkjoumma;c:\windows\system32\drivers\wumo.sys --> c:\windows\system32\drivers\wumo.sys [?]
S2 gupdate1c966b8e456733a;Google Update Service (gupdate1c966b8e456733a);c:\program files\Google\Update\GoogleUpdate.exe [12/25/2008 1:47 PM 133104]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [8/4/2009 11:04 AM 122504]
S3 MiraUSB2;Stenograph USB Writer Service;c:\windows\system32\drivers\SGUsb.sys [5/17/2007 11:51 AM 26208]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [7/24/2008 8:42 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [7/24/2008 8:42 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [7/24/2008 8:42 PM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [7/25/2008 5:51 PM 23680]
S3 ndfs;ndfs;\??\c:\program files\Netdrive\ndfs.sys --> c:\program files\Netdrive\ndfs.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 20:18]
2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 20:18]
2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-261478967-682003330-1004Core.job
- c:\documents and settings\Linda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-23 15:33]
2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-261478967-682003330-1004UA.job
- c:\documents and settings\Linda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-23 15:33]
2009-10-04 c:\windows\Tasks\Reporting.job
- c:\program files\DeltaCopy\Reporting.dcp [2009-10-04 21:17]
2009-10-22 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-01-27 21:34]
2009-10-23 c:\windows\Tasks\User_Feed_Synchronization-{5CAEC93B-3953-444E-9B4E-C88B86549D93}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: Display All Images with Full Quality - c:\program files\Juno\qsacc\appres.dll/228
IE: Display Image with Full Quality - c:\program files\Juno\qsacc\appres.dll/227
IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm
IE: Send to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {A9667083-5060-4F44-88FB-9FF7487BBA1B} - hxxps://workplace.intuit.com/db/bd86zf4za/gl/qbconnector.cab
FF - ProfilePath - c:\documents and settings\Linda\Application Data\Mozilla\Firefox\Profiles\b58vve3u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={FCD8A6E9-3507-E9AE-A249-68D6BAF2DA1C}&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 16:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-26 17:01
ComboFix-quarantined-files.txt 2009-10-26 21:01
ComboFix2.txt 2009-10-23 18:22
ComboFix3.txt 2009-10-23 16:18
Pre-Run: 57,970,196,480 bytes free
Post-Run: 57,927,622,656 bytes free
- - End Of File - - B6F54D17A4839EE7629CF3E2CB26BFC6
You did not post back the log results from this. I'd like to see that log please.
Go to start > run and copy and paste the following command in the field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
This should restore permissions on locked files and remove mountpoints.
You also need to fully remove one of the Anti-Virus products as you can only have one installed at a time as they conflict with each other.
I would suggest removing the ZoneAlarm Suite for now and once we're done you can decide what you want to continue to run.
Also click on START - RUN and type in MSCONFIG and go to the Services Tab and set it to ENABLE ALL and reboot the computer
Then run it again and on the General tab make sure it's set to Normal Startup and reboot the computer again.
If you have trouble with it let me know.
Go to start > run and copy and paste the following command in the field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
This should restore permissions on locked files and remove mountpoints.
You also need to fully remove one of the Anti-Virus products as you can only have one installed at a time as they conflict with each other.
I would suggest removing the ZoneAlarm Suite for now and once we're done you can decide what you want to continue to run.
Also click on START - RUN and type in MSCONFIG and go to the Services Tab and set it to ENABLE ALL and reboot the computer
Then run it again and on the General tab make sure it's set to Normal Startup and reboot the computer again.
If you have trouble with it let me know.
Please post an update on this. Thanks.
Are you still with us?
Sorry! I didn't know you had responded. I thought I'd get an e-mail notification.
I also thought I posted the log. Maybe I put the wrong one in? Which log do you want to see?
I found that AntiVir was running in the background at startup, so I'd uninstalled it before I saw your recommendation to remove ZoneAlarm.
Running the %userprofile%\desktop\win32kdiag.exe" -f -r gives the following:
Removing all found mount points
Attempting to reset file permissions
Warning - could not get backup privileges
Searching C:\Windows ...
Finished.
I reran Combo-Fix, and I've attached it in the upload box.
I also thought I posted the log. Maybe I put the wrong one in? Which log do you want to see?
I found that AntiVir was running in the background at startup, so I'd uninstalled it before I saw your recommendation to remove ZoneAlarm.
Running the %userprofile%\desktop\win32kdiag.exe" -f -r gives the following:
Removing all found mount points
Attempting to reset file permissions
Warning - could not get backup privileges
Searching C:\Windows ...
Finished.
I reran Combo-Fix, and I've attached it in the upload box.
Now I've done the msconfig reset for all services to run.
When I try to run %userprofile%\desktop\win32kdiag.exe" -f -r, it says C:\documents can't be found; win32kdiag is in the folder C:\Documents and Settings\Linda\Desktop.
I ran combo-fix again and have uploaded the log.
THANKS!
When I try to run %userprofile%\desktop\win32kdiag.exe" -f -r, it says C:\documents can't be found; win32kdiag is in the folder C:\Documents and Settings\Linda\Desktop.
I ran combo-fix again and have uploaded the log.
THANKS!
I don't see the new CF log that you said you uploaded. Please upload that log again.
Please run the following if you can. If not let me know.
Update and Scan with Malwarebytes' Anti-Malware
Then post back the MBAM log
Please run the following if you can. If not let me know.
Update and Scan with Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
- Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log
With the update and scan, it found 2 trojans not found before. I've uploaded the combo-fix log as an attachment.
Here's the Malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 3059
Windows 5.1.2600 Service Pack 3
10/30/2009 6:57:18 AM
mbam-log-2009-10-30 (06-57-18).txt
Scan type: Quick Scan
Objects scanned: 110219
Time elapsed: 6 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Linda\My Documents\downloads\GoogleEarthPluginSetup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Linda\My Documents\downloads\GoogleEarthSetup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
Here's the Malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 3059
Windows 5.1.2600 Service Pack 3
10/30/2009 6:57:18 AM
mbam-log-2009-10-30 (06-57-18).txt
Scan type: Quick Scan
Objects scanned: 110219
Time elapsed: 6 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Linda\My Documents\downloads\GoogleEarthPluginSetup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Linda\My Documents\downloads\GoogleEarthSetup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.
STEP 02
Update and Scan with Malwarebytes' Anti-Malware
Then post back the MBAM log and a new Hijackthis log.
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
CODE
KILLALL::
Driver::
tkjoumma
File::
c:\windows\system32\drivers\wumo.sys
Driver::
tkjoumma
File::
c:\windows\system32\drivers\wumo.sys
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
- Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disconnect from the Internet.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes Notepad will open with with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.
STEP 02
Update and Scan with Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
- Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.
When combofix ran, I walked away from the computer. When I came back, it had rebooted and ZoneAlarm was running and trying to prevent combofix from doing whatever it was doing. I thought about resetting the startup so that ZoneAlarm wouldn't start automatically and running combofix again, but you said not to run it more than once.
The log from Malwarebytes is posted below. I'll upload the combofix log.
I still can't run HijackThis. It says, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I'm the only user and the administrator on this computer.
Mbamlog:
Malwarebytes' Anti-Malware 1.41
Database version: 3085
Windows 5.1.2600 Service Pack 3
11/2/2009 9:23:51 AM
mbam-log-2009-11-02 (09-23-51).txt
Scan type: Quick Scan
Objects scanned: 109319
Time elapsed: 4 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
The log from Malwarebytes is posted below. I'll upload the combofix log.
I still can't run HijackThis. It says, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I'm the only user and the administrator on this computer.
Mbamlog:
Malwarebytes' Anti-Malware 1.41
Database version: 3085
Windows 5.1.2600 Service Pack 3
11/2/2009 9:23:51 AM
mbam-log-2009-11-02 (09-23-51).txt
Scan type: Quick Scan
Objects scanned: 109319
Time elapsed: 4 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
STEP 01
Please download the following program to your desktop. Close all other open applications and then run the program.
It will restore file permissions to the system and automatically restart the computer when done.
restoredefaultperms.exe
STEP 02
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.
STEP 03
Click on START - RUN and copy / paste the entry below into the run line and click OK
Click on START - RUN and copy / paste the entry below into the run line and click OK
Click on START - RUN and copy / paste the entry below into the run line and click OK
STEP 04
Now try to run HJT and see if you can run it and post back the log
Please download the following program to your desktop. Close all other open applications and then run the program.
It will restore file permissions to the system and automatically restart the computer when done.
restoredefaultperms.exe
STEP 02
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
CODE
KILLALL::
File::
c:\windows\system32\pxwma.dll
c:\windows\system32\BD7420.dat
c:\windows\S3AE1BF11.tmp
c:\program files\uninstall.log
File::
c:\windows\system32\pxwma.dll
c:\windows\system32\BD7420.dat
c:\windows\S3AE1BF11.tmp
c:\program files\uninstall.log
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
- Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disconnect from the Internet.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes Notepad will open with with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.
STEP 03
Click on START - RUN and copy / paste the entry below into the run line and click OK
CODE
CMD /C NETSH FIREWALL RESET
Click on START - RUN and copy / paste the entry below into the run line and click OK
CODE
CMD /C NETSH int ip reset c:\resetlog.txt
Click on START - RUN and copy / paste the entry below into the run line and click OK
CODE
CMD /C netsh winsock reset catalog
STEP 04
Now try to run HJT and see if you can run it and post back the log
Hi. HijackThis still won't run, still gives the same message.
The restore default permissions program had three errors when it ran. I was able to get one of them. It was: "HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAI : 2 the system cannot...." When I go to regedit and click on that key, it says, ""Cannot open SAI. Error while opening key." The same for the one above it, SAC. They both appear to be empty. I don't know if this means anything or not, just thought I should mention it just in case.
I've uploaded the ComboFix log and one called a Reset log.
Thanks so much for all your help!!!!
The restore default permissions program had three errors when it ran. I was able to get one of them. It was: "HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\SAI : 2 the system cannot...." When I go to regedit and click on that key, it says, ""Cannot open SAI. Error while opening key." The same for the one above it, SAC. They both appear to be empty. I don't know if this means anything or not, just thought I should mention it just in case.
I've uploaded the ComboFix log and one called a Reset log.
Thanks so much for all your help!!!!
Okay, please run the following report and we'll see what else we can do. You appear to have some old left over software that we can remove
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr
Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop
- Please include the following logs in your next reply: DDS.txt and Attach.txt
I've attached both logs. Thanks!
What is this in your installed program list? Advertising Center
You may want to review these post and make up your mind about this program IObit Security 360
IOBit Steals Malwarebytes' Intellectual Property
IOBit’s Denial of Theft Unconvincing
Please uninstall this old version of Java.
Java™ 6 Update 11
The current version is: 6 Update 17
Try uninstalling or deleting your current copy of HiJackThis and download a new copy and try to install and run it.
Notice these error from your logs:
11/3/2009 2:42:31 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom1.
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Symantec Core LC service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The QBCFMonitorService service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The MozyHome Backup Service service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:52:56 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
These may be a day old before this was fixed, but if you're still getting errors you may need to do some OS repair work to correct this.
You may want to review these post and make up your mind about this program IObit Security 360
IOBit Steals Malwarebytes' Intellectual Property
IOBit’s Denial of Theft Unconvincing
Please uninstall this old version of Java.
Java™ 6 Update 11
The current version is: 6 Update 17
Try uninstalling or deleting your current copy of HiJackThis and download a new copy and try to install and run it.
Notice these error from your logs:
11/3/2009 2:42:31 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom1.
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Symantec Core LC service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The QBCFMonitorService service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The MozyHome Backup Service service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:53:25 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/2/2009 9:52:56 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
These may be a day old before this was fixed, but if you're still getting errors you may need to do some OS repair work to correct this.
Hi. I did a search of the registry, and it appears that the Advertising Center has something to do with Nero software that came with a Lite-On DVD drive. It doesn't show up in my control panel or in the program files folder as a program.
I uninstalled Iobit Security 360. Thanks for the heads-up on that! I uninstalled the old Java. Also, I downloaded the remove netfx tool, uninstalled all the .net framework installations and reinstalled them one by one.
Then I downloaded HijackThis again, and it ran. Woo-hoo! I've uploaded the log.
Thanks!
I uninstalled Iobit Security 360. Thanks for the heads-up on that! I uninstalled the old Java. Also, I downloaded the remove netfx tool, uninstalled all the .net framework installations and reinstalled them one by one.
Then I downloaded HijackThis again, and it ran. Woo-hoo! I've uploaded the log.
Thanks!
Don't see any new log posted or attached.
Please click on START - RUN and type in EVENTVWR and take a look and see if you're still getting any RED or YELLOW entries in your Event Logs to indicate you're still having driver or software issues.
Please click on START - RUN and type in EVENTVWR and take a look and see if you're still getting any RED or YELLOW entries in your Event Logs to indicate you're still having driver or software issues.
It looks like the only errors I have now are in QuickBooks. I think I've gotten all the malware out of my computer, and everything is running okay. I thought I uploaded the HijackThis log. I'll do it now.
Thanks for all your help!!!!
It won't upload for some reason. It says I'm not permitted to upload this type of file. I'll paste it here, then.":
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:35 AM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\1.1.5.14\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Mozy\mozystat.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Remind5\Reminder.exe
C:\PROGRA~1\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\1.1.5.14\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Linda\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Linda\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Linda\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\IPSBHO.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Symantec Norton Safety Minder BHO - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\1.1.5.15\coIEPlg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [mozystat.exe] C:\Program Files\Mozy\mozystat.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: remind5.lnk = C:\Program Files\Remind5\Reminder.exe
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirvana/con...s/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.main/tba...pointsSetup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/Nirvana/con...DiskMD3Ctrl.dll
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Nirvana/con...opAntiVirus.dll
O16 - DPF: {A9667083-5060-4F44-88FB-9FF7487BBA1B} (Intuit QuickBooks Connector) - https://workplace.intuit.com/db/bd86zf4za/gl/qbconnector.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Nirvana/con.../pcpitstop2.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - (no file)
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - c:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Update Service (gupdate1c966b8e456733a) (gupdate1c966b8e456733a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MozyHome Backup Service (MozyBackup) - Mozy, Inc. - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\1.1.5.14\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\system32\Tablet.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
--
End of file - 11683 bytes
Thanks for all your help!!!!
It won't upload for some reason. It says I'm not permitted to upload this type of file. I'll paste it here, then.":
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:35 AM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\1.1.5.14\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Mozy\mozystat.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Remind5\Reminder.exe
C:\PROGRA~1\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\1.1.5.14\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Linda\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Linda\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Linda\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\IPSBHO.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Symantec Norton Safety Minder BHO - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\1.1.5.15\coIEPlg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [mozystat.exe] C:\Program Files\Mozy\mozystat.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: remind5.lnk = C:\Program Files\Remind5\Reminder.exe
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirvana/con...s/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://www.infospace.com/mypoints.main/tba...pointsSetup.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/Nirvana/con...DiskMD3Ctrl.dll
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Nirvana/con...opAntiVirus.dll
O16 - DPF: {A9667083-5060-4F44-88FB-9FF7487BBA1B} (Intuit QuickBooks Connector) - https://workplace.intuit.com/db/bd86zf4za/gl/qbconnector.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Nirvana/con.../pcpitstop2.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - (no file)
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - c:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Update Service (gupdate1c966b8e456733a) (gupdate1c966b8e456733a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MozyHome Backup Service (MozyBackup) - Mozy, Inc. - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\1.1.5.14\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\system32\Tablet.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
--
End of file - 11683 bytes
It looks like you may be running an old version of Java. Check and remove all old versions of Java. The latest version is 6 build 17
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 17.
Then maybe try re-installing Quick Books. Since the system appears to be clean now I'll leave you with this.
Click on START - RUN and type in Combo-Fix.exe /u to uninstall Combofix.
I'll close your post soon so that other don't post into it and leave you with this information and suggestions.
So how did I get infected in the first place?
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 17.
- Go to http://java.sun.com/javase/downloads/index.jsp
- Go to Java SE Runtime Environment (JRE) - JRE 6 Update 17 about half way down the page and click on the Download button.
- In Platform box choose Windows.
- Check the box to Accept License Agreement and click Continue.
- Click on Windows Offline Installation, click on the link under it which says jre-6u17-windows-i586.exe and save the downloaded file to your desktop.
- Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
- Uncheck the Toolbar button (unless you want the toolbar)
- Reboot your computer
Then maybe try re-installing Quick Books. Since the system appears to be clean now I'll leave you with this.
Click on START - RUN and type in Combo-Fix.exe /u to uninstall Combofix.
I'll close your post soon so that other don't post into it and leave you with this information and suggestions.
So how did I get infected in the first place?
At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:
Remove all but the most recent Restore Point on Windows XPYou should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
- Give the new Restore Point a name, then click "Create".
- The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then use the Disk Cleanup to remove all but the most recently created Restore Point.
- Go to Start > Run and type: Cleanmgr.exe
- Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
- Click the "More Options" tab, then click the "Clean up" button under System Restore.
- Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
- Click Yes, then click Ok.
- Click Yes again when prompted with "Are you sure you want to perform these actions?"
- Disk Cleanup will remove the files and close automatically.
- On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
- These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.
Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore
Here are some free programs I recommend that could help you improve your computer's security.
Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here
Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here
Install FireTrust SiteHound
You can find information and download it from here
Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.
The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free
A little outdated but good reading on how to prevent Malware
Keep safe online and happy surfing.
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions
Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.